
Topics in Internet Security

Topics in Internet Security. STC Training, Tuesday, August 23 2011. Brian Allen, CISSP, brianallen@wustl.edu, Network Security Analyst, Washington University in St. Louis, http://nso.wustl.edu/presentations/. Let’s Talk About: Email Security, Password Managers, PNA Examples, Phishing Examples





Presentation Transcript


  1. Topics in Internet Security

    STC Training, Tuesday, August 23 2011
    Brian Allen, CISSP
    brianallen@wustl.edu
    Network Security Analyst, Washington University in St. Louis
    http://nso.wustl.edu/presentations/
  2. Let’s Talk About
    Email Security
    Password Managers
    PNA Examples
    Phishing Examples
    Top Ten Security Tips
    Virus Example and Case Study
  3. Decentralized Campus Network
    (Diagram labels: Internet, NSS, NSO, Business School, Law School, Arts & Sciences, Medical School, Library, Social Work, Art & Architecture, Engineering School)
    NSS = Network Services and Support
    NSO = Network Security Office
  4. Password Managers

  5. Free Password Managers
    KeePass – I use this one (called KeePassX for the Mac)
    Password Safe
    I use Dropbox.com to store my KeePass file so I can always access it
  6. KeePass
  7. KeePass
  8. Email Security

  9. Email Security Tip #1 Do not click on links in emails
  10. Email Security Tip #2 See Tip #1
  11. Spam
    (Diagram of the spam supply chain: Product Supplier, Accountant, Sellers 1 to 3, Spammers 1 to 3)
  12. Where Does Spam Originate? Why Do We Care?
    Spam = Bots (large armies of infected machines sending out spam)
    Bots = Sophisticated Malware
    Sophisticated Malware = Organized Crime
    More than 89% of all email messages were spam in 2010 (Symantec)
  13. Spam is Big Business
    Rates for one million email addresses: $25 to $50
    10,000 malware installations: $300–$800
    Sending 100 million emails per day: $10,000 per month
    (Source: http://www.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf)
    Cutwail’s profit for providing spam services: $1.7 – $4.2 million from June 2009 to Aug 2010
    How much do the spammers gross per day? $7000
    (Source: http://www.wired.com/magazine/2011/02/st_equation_spamprofits/)
  14. CBL Breakdown By Country

    Country    Count    %total  %cumu  Rank  Infect %
    India      1253890  18.80   18.80  1     4.465%
    Vietnam    565839   8.48    27.28  2     3.306%
    Brazil     479491   7.19    34.47  3     0.857%
    Indonesia  392814   5.89    40.36  4     3.163%
    Pakistan   383319   5.75    46.10  5     7.688%
    Russia     358142   5.37    51.47  6     0.912%
    China      222761   3.34    54.81  7     0.075%
  15. One Cause Of This Problem
    Many machines in these countries are running pirated copies of Windows. They are not getting security updates. They are vulnerable and get infected. Also, it can take a long time to download updates.
  16. Underground Economy
    Spammers also are involved in:
    CAPTCHA solving
    Email harvesting
    Custom software
    Bulletproof hosting
    Proxies
  17. Spam Volume
    From Jul 30 to Aug 25, 2010, security researchers infiltrated the Cutwail spam network and discovered 87.7 billion emails were successfully sent
  18. Spam Content
    The Zeus/SpyEye Banking Trojan typically uses:
    Greeting card
    Resume
    Invitation
    Mail delivery failure
    Receipt for a recent purchase
  19. Spam Volume on WUSTL Ironports - Feb 2011
  20. Department of Justice Disrupts International Cyber Crime Rings Distributing Scareware
    June 22, 2011
    “Today the Department of Justice and the FBI, along with international law enforcement partners, announced the indictment of two individuals from Latvia and the seizure of more than 40 computers, servers and bank accounts as part of Operation Trident Tribunal, an ongoing, coordinated enforcement action targeting international cyber crime. The operation targeted international cyber crime rings that caused more than $74 million in total losses to more than one million computer users through the sale of fraudulent computer security software known as scareware.”
  21. Phishing Examples

  22. Phishing Email
  23. Real or Phish? <http://michaelkellett com/ez/wustl.html>
  24. Real or Phish?
  25. Real or Phishing Site?
  26. Emails, Like Postcards, Are Not Encrypted

    Contact me to discuss encryption options for storing or sending sensitive information
  27. Social Security Number Email 1
    From: BOB [BOB@WUSTL.EDU]
    Sent: Friday, April 01, 2011 12:54 PM
    To: ALICE [ALICE@NOTWUSTL.COM]
    Subject: Registration Request

    ALICE:
    Couldn't remember if I had already sent this request or not. Please register CHARLIE ( 111-11-1111 ) for the session
    Thank you
    BOB
  28. Social Security Number Email 2
    From: BOB [BOB@WUSTL.EDU]
    Subject: FW: University talk
    To: ALICE@NONWUSTL.EDU, CHARLIE@NOTWUSTL.COM
    Date: Monday, April 4, 2011, 12:57 PM

    Dear Ms. ALICE and CHARLIE,
    I sent this e-mail a couple of weeks ago, but I haven't heard back from you yet, so I thought that I would send it again. Also, my SSN is 222-22-2222 and my home address is: 1234 Oak Ave. St. Louis, MO 63130
  29. Top 10 Security Tips

  30. Top 10 Security Tips For Everyone I
    Make sure the Windows Firewall is turned on
    Make sure all accounts on your computer have good passwords
    Make sure Windows Automatic Updates is on
    Install an anti-virus software package. Microsoft is now providing their Security Essentials anti-virus/anti-spyware for free to home users: http://www.microsoft.com/Security_Essentials
  31. Top 10 Security Tips For Everyone II
    I use Firefox with AdBlock Plus
    Run Secunia Personal Software Inspector (www.secunia.com). It is free, and it will tell you when you need to update your other software (Adobe, Java, Quicktime, RealPlayer, etc).
    Educate yourself on phishing and don’t become a victim (Google: “phishing quiz”)
  32. Top 10 Security Tips For Everyone III
    Don’t click on links in e-mail.
    Don’t give out your password to anyone, for any reason, especially in an e-mail!
    Never enter your password into a site that is not using HTTPS.
  33. Passive Network Appliance

  34. When We Met
    July 3, 2009: one of Patrick’s students came to work for me as a student lackey worker
    PNA is Born: first mention of PNA to me was Mar 18, 2010
    PNA was installed at WUSTL Aug 11, 2010
    It monitors our primary ISP link
  35. Security Data I Rely On
    I use flowlogs to look for:
    Scanners
    Spammers
    Connections to known bot C&C IP addresses
    Suspicious IRC traffic
    Ad-hoc incidents (i.e. law enforcement)
    I also look for:
    Connections to known bot C&C hostnames in DNS
    NMAP every IP address, every port (a LOT of data)
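The three flow-log checks named on this slide (scanners, spammers, connections to known bot C&C addresses), as an added example that is not part of the talk or of PNA. The flow records are constructed; the detector thresholds and the NetFlow-style field layout are assumptions, and the one listed C&C address is the IP shown later on the "Bot Example" slide.

```python
# Added example (not from the slides): three simple detectors over NetFlow-style
# records, matching the checks the talk lists: scanners, spammers, known C&C IPs.
from collections import defaultdict

# Constructed sample flows, one connection per line: src dst dst_port packets
FLOWS = """
10.1.1.5 198.51.100.10 443 55
10.1.1.9 203.0.113.7 22 1
10.1.1.9 203.0.113.8 22 1
10.1.1.9 203.0.113.9 22 1
10.1.1.9 203.0.113.10 22 1
10.1.1.9 203.0.113.11 22 1
10.1.1.22 192.0.2.1 25 12
10.1.1.22 192.0.2.2 25 12
10.1.1.22 192.0.2.3 25 11
10.1.1.22 192.0.2.4 25 12
10.1.1.22 192.0.2.5 25 12
10.1.1.40 64.74.223.41 6667 300
"""

# Known bot C&C addresses; this one is the IP shown on the "Bot Example" slide.
KNOWN_CC = {"64.74.223.41"}

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, pkts = line.split()
        flows.append((src, dst, int(port), int(pkts)))
    return flows

def find_scanners(flows, min_targets=5, max_pkts=2):
    """Sources that probed many distinct host:port pairs with tiny flows."""
    targets = defaultdict(set)
    for src, dst, port, pkts in flows:
        if pkts <= max_pkts:
            targets[src].add((dst, port))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def find_spammers(flows, min_mail_peers=5):
    """Sources opening outbound SMTP (port 25) to many distinct mail servers."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        if port == 25:
            peers[src].add(dst)
    return sorted(s for s, p in peers.items() if len(p) >= min_mail_peers)

def find_cc_talkers(flows, known=KNOWN_CC):
    """Internal hosts that connected to a listed C&C address."""
    return sorted({src for src, dst, _, _ in flows if dst in known})
```

On real flow exports the thresholds need tuning per site; a legitimate mail relay will trip the SMTP check unless it is whitelisted.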
  36. Strange Printer Scan
  37. Strange Printer Scan Returns
  38. Hacker’s IP Addresses
    December 2010: a well known local IT shop had a data breach
    I was able to get the hacker’s two IP addresses that were used to log into their network
    I used PNA to check if those IP addresses were anywhere on our network in the past week
    They were not
  39. Infected Laptop
  40. Infected Laptop
    Owner’s Response: “Hello, Thanks for the update! Yea this machine is hosed! I knew it was bad but, I didn't know it was that bad. I am in the midst of transferring all of my stuff to a new machine because I needed to reformat this laptop anyway. I can't get wireless signal either...lol! Thanks,”
  41. Infected RedHat Server
    Forensics -> four key hacker IP addresses
    Who else were these hackers talking to on campus?
    Two other machines were compromised
  42. Infected Lab Machine
  43. Law Enforcement Incident
    Person threatening/harassing a student
    LE provided: IP address, general time frame
    Using PNA we could tell them every time that suspect talked to a WUSTL machine
  44. Bot Example
    $ nslookup 64.74.223.41
    ** server can't find 41.223.74.64.in-addr.arpa.: NXDOMAIN
    What to do? Passive DNS can help
    WU nslookup X = 64.74.223.41
  45. Passive DNS Within PNA
    PNA can optionally collect passive DNS data
    It can look at all outgoing DNS traffic
    Notify security community
    Google it to get more info, who owns it?
    Add it to my blackhole DNS server
    nslookup irc.berthabig.info = 64.74.223.41
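The passive DNS idea from the "Bot Example" and "Passive DNS Within PNA" slides, as an added example that is not PNA's code: an index built from DNS answers seen in outgoing traffic, queried by IP to recover the name behind an address that has no PTR record. The answer records are constructed (the irc.berthabig.info / 64.74.223.41 pair is the one on the slides); the log layout and the CNAME handling are assumptions.

```python
# Added example (not from the slides): a minimal passive DNS index built from
# observed DNS answers, to answer "which name resolved to this IP?" when the
# address has no PTR record, as on the "Bot Example" slide.
from collections import defaultdict

# Constructed sample of answers seen in outgoing DNS traffic (epoch qname rtype rdata);
# the irc.berthabig.info / 64.74.223.41 pair is the one shown on the slides.
ANSWERS = """
1281600000 www.example.com A 93.184.216.34
1281600005 irc.berthabig.info A 64.74.223.41
1281603605 irc.berthabig.info A 64.74.223.41
1281607200 cdn.example.net CNAME edge.example.net
1281607201 edge.example.net A 198.51.100.9
1281610800 irc.berthabig.info A 64.74.223.41
"""

class PassiveDNS:
    def __init__(self):
        # rdata -> qname -> [first_seen, last_seen, count]
        self.by_rdata = defaultdict(dict)
        self.aliases = defaultdict(set)   # CNAME target -> names pointing at it

    def add(self, ts, qname, rtype, rdata):
        if rtype == "CNAME":
            self.aliases[rdata].add(qname)
        rec = self.by_rdata[rdata].setdefault(qname, [ts, ts, 0])
        rec[0] = min(rec[0], ts)
        rec[1] = max(rec[1], ts)
        rec[2] += 1

    def load(self, text):
        for line in text.strip().splitlines():
            ts, qname, rtype, rdata = line.split()
            self.add(int(ts), qname, rtype, rdata)

    def names_for_ip(self, ip):
        """Names seen resolving to ip, plus aliases CNAMEd to those names."""
        out = {}
        for name, (first, last, n) in self.by_rdata.get(ip, {}).items():
            out[name] = (first, last, n)
            for alias in self.aliases.get(name, ()):
                out[alias] = (first, last, n)  # alias inherits its target's sightings
        return out
```

The first_seen/last_seen pair is what makes the index useful for an incident: it says when a campus resolver first asked for the name, not just that it did.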
  46. Thanks!

    Brian Allen
    brianallen@wustl.edu
    Network Security Analyst
    http://nso.wustl.edu